The case for Layer 7 visibility with Cisco ACI

The case for Layer 7 visibility with Cisco ACI

Picture this . . .

You just bought Cisco ACI for your data center and now your major project is to segment your brownfield environment. Perhaps the need for this segmentation is driven by your auditors, or because you need to migrate legacy applications to your new private cloud, or even because you are embracing infrastructure automation and Cisco ACI is your chosen solution for network. Whatever the reason, the following scenario probably holds true - your environment likely consists of a few hundred workloads, but more likely it is comprised of several thousand workloads. And like most data centers, your virtual estate grew organically over time, providing for the needs of the business as it evolved. However, documentation of your environment is limited at best. Almost too often, changes to the environment such as “moves” and “adds” are left undocumented. And here you are, staring at vCenter, inundated with syslogs or netflow records, trying to make sense of it all. 

Where do you start to build policy? 

This is one of the areas that vArmour DSS helps to address with Cisco ACI deployments for brownfield environments. vArmour DSS is built as a tap or inline data path entity with full Layer 7 application aware capabilities. Each of your VMware ESXi nodes receives a small virtual machine that we call an Enforcement Point Interceptor (EPi). And each EPi works in concert to create a distributed system. One of the capabilities to highlight here with each EPi is that it sees all traffic within the virtual estate, since every workload within each hypervisor is plumbed to traverse its respective EPi.

The EPi delivers a rich set of data to the data plane that maps the context between users, networks, and applications. This view of contextual data is possible due to a combination of where vArmour DSS sits and what vArmour DSS is able to see from that position. From where vArmour DSS sits, it captures the full communication stack, from Layer 2 through Layer 7. It performs deep packet inspection (DPI) against the data collected where it identifies applications and additional metadata. This combination of “where it sits” and “what it sees” enables vArmour to derive full context of each session enabling a variety of use cases.

Policy Discovery at Scale 

In small environments, say 10 to 50 servers, a manual interrogation may be reasonable. If something breaks, you can respond fairly quickly. However, in large enterprise environments, you have massive scale issues. Once you reach the scale of a few hundred servers, manual policy construction becomes truly untenable.

To build policy at scale, you need the right telemetry. Applications consist of tiers (web, app, and database). Each tier has different needs: standard and unique ports, services for each port, and communication flows. In order to build policy at scale, you need a complete view of the communication flows between these tiers to create the full picture. This is where having Layer 7 visibility can help. With Layer 7 visibility and the full context of the data flow, you can stitch together all the dependencies to paint a total picture for policy. Also, it’s impractical to treat all assets the same even within a given application structure. This would mean that each and every service and port, IP and MAC needs cataloging and controls. With Layer 7 visibility, operators can focus on the services in use, along with their respective ports, eliminating the guesswork. In this case, Layer 7 visibility minimizes your work to deliver a complete view.

Network Incident Response

There’s a second case to be made for Layer 7 in incident response and troubleshooting contexts. For the same reason you were able to accelerate policy implementation with Layer 7 on your Cisco ACI infrastructure, you can now identify data path issues efficiently. The full context of the network traffic enables operators to effectively root cause issues and perform incident response and forensics for security use cases.


If you are a highly regulated enterprise, your mandate is to demonstrate that your policies are doing what you intended them to do. With a Layer 7 data path, you can demonstrate policy in action - with the prescribed behavior you intended for assets and the network. The advantage of this approach is that you can ensure that permitted communications in the data center, between clients and servers, are exactly as expected. As an example, let’s consider the use of DNS tunneling in the data center. DNS tunneling is a technique used to sneak around restricted environments using permitted ports. Every server must run DNS, standard port 53, so servers are built with DNS running and this is allowed even in a properly segmented environment. Without a “Layer 7 aware” system, a malicious insider could use port 53 to tunnel HTTPS over DNS and no one would know. Typically, this technique is used as by hackers to exfiltrate data, but there are documented cases of insider threat as well. Without Layer 7 visibility, your Security Operations team would neither see the violation nor be in a position to respond to the violation. Such tunneling would appear perfectly normal to a Layer 4 based security solution, with no alarms raised. This is why it is critical to monitor your open ports with a Layer 7 aware solution identifying these applications. In this case, vArmour delivers complete assurance along with Cisco ACI. 

Producing Evidential Matter for Compliance 

Any regulated enterprise has mandates for segmentation and is required to demonstrate evidential matter for compliance. The combined solution (vArmour DSS + Cisco ACI) simplifies auditing, reporting and the implementation of any required segmentation changes. In the case of vArmour, the Layer 7 visibility delivers evidence via point and click reports. If your auditor mandates network modifications, you can implement those changes and quickly generate a report showing the new modifications in the environment. This workflow minimizes the adverse impact of audits on your operations, thereby making reporting and change management expedient for all parties.


vArmour addresses a combination of challenges facing operators deploying segmentation using Cisco ACI. As a Layer 7 data path, vArmour DSS delivers the full context of the application with Layer 7 telemetry and the combined solution enables: 

  • The ability to discover and develop policy at scale
  • An accelerated process to troubleshoot network and security incidents
  • Validation of the authenticity of traffic (for assurance, as an independent control), and 
  • An efficient process to deliver evidential matter for regulatory compliance requirements.

Related Posts